DOD details strict flash drive rules

The Defense Department was able to lift a ban on portable storage devices such as thumb drives because of changes to DOD computer systems that make the devices safer to use, Vice Adm. Carl Mauney, deputy commander of the U.S. Strategic Command, said today. But that doesn't mean personnel have carte blanche. DOD still maintains strict rules for the devices.

“After extensive testing of mitigation measures, DOD decided to make this technology available again on a strictly controlled basis on DOD computers,” Mauney said via e-mail. “Since the order restricting use of removable media, DOD developed capabilities and processes that allow safe use of these devices. Removable media use will be limited to mission-essential operations, and only after strict compliance requirements are met.”

The new policy, issued Feb. 12, only applies to government-procured and government-owned devices, Mauney said. Personally owned devices are still barred from all DOD networks and computers. Flash media can only be used as a last resort to transfer data from one location to another, and only when other authorized network resources are not available, he said. Related story:

Randomly selected users and drives will be subject to periodic auditing, under the new policy. Individual services and agencies will determine whether flash media may be used in their individual organizations, Mauney said.

Some in the military found the all out ban too restrictive, according to one DOD source. The new policy is a compromise.

“This is not a return to 'business as usual,'” Mauney said. “There remain strict limitations on using these devices. Use will be permitted only in DOD computers that are in compliance with requirements for hardware that allows for safe transfer of data.”

For now, Army officials plan to keep the ban on flash drives in place, according to the Army News Service.

“We are currently conducting mission analysis in order to provide guidance for the Army's safe return of thumb drives and flash media,” officials from the Army Global Network Operations Security Center said, according to the news service.

The ban was issued in November 2008 after a virus was found to be spreading through military networks by copying itself from one removable drive to another. The ban covered all forms of USB flash media, such as thumb drives, memory sticks and cards, and camera memory cards, as well as some other removable media.

The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

Reader comments

Mon, Mar 1, 2010
Radagast

The best solution is no local storage. My employer requires that all data remain on network volumes at all times. We don't allow storage on local devices. Our staff don't even have full laptops, they have diskless thin clients. All their work occurs on a Citrix server farm.
The only exception is the use of a USB stick for the purpose of obtaining a file from an external party (we are a government audit agency) and uploading it to the network the next time they're on their thin client. The need is rare. We use Ironkey thumb drives for this purpose, as encryption is mandatory and the devices can be centrally provisioned, deprovisioned, and even destroyed. If someone has 10 failed p/w attempts, it self destructs. If it is accessed 10 times without being attached to the internet, it self destructs.
The staff also have local scanners, but they scan directly to the network.
Keep all your data on the network, and there is no risk of lost data if a local device is damaged, lost or stolen.

Sun, Feb 28, 2010

Alan said: "I agree: security is #1. But can individuals who can be trusted with classified information be trusted with flash and SD cards too? It sure would make that matter more efficient." Considering that of the flash devices analized after being seized, a good percentage contained classified information uname/pword combo to SIPRnet, TOs, AFIs, etc...I'd say not. The average user, regardless of profession or clearance level, they simply don't understand the risk these devices pose to a network. Of the member's I interviewed after a network security incident involving USB drives, many cite "need" over "consequences".

Fri, Feb 26, 2010

With numerous occurences of spyware/malware arriving pre-installed on thumbdrives and flash media from factories in Asia...formattable digital media presents a safer starting point for file transfer. That being said, ANY storage medium has inherent risks and it falls on the shoulders of us trusted users to follow the security guidelines and safeguard government data.

Thu, Feb 25, 2010

We do a lot of work developing training for the USAF. When we take a photo of the aircraft's equipment, we download the image from the camera to a PC that is owned by our company, process the image, burn it to a CD-ROM, insert the CD into a networked military owned PC, save the image to our working databases, then drop the CD in a CD shredder. How is this safer for the systems than using an approved thumb drive?

Thu, Feb 25, 2010
Bergy

Instead of carrying a thumb or flash drive on official business trips, containing training and briefing presentations, I now carry over a dozen DVD, properly marked, in my briefcase. Each time the presentation is updated, more DVDs are needed. I have a TS clearance and should be trusted to follow proper security procedures with a government issued flash or thumb drive.